EvilZone

I was a "production" employee at an ISP tech support center, the amount of fail they had in there systems was epic. People like me, and people like in "production" WILL break things. Don't assume all others are stupid. I ran circles around the IT at my last job, and they all thought it was my supervisor. I quite on my own terms and my supervisor is still there, just don't underestimate the little guys. I did stuff to break systems in a few jobs I had, Lulz use putty again I DARE ya Mr telemarketer.

I think you're missing the idea here


Security should be designed into your software, not added in as an after thought. This whole "it doesnt matter its a quick fix now" ideology is stupid


Design the software with security in mind, dont design it to have security patched in later. It will not be as effective.

You take input and sanitize it.



Lets say if you check for that string specifically... would it cover


<?php echo phpinfo(INFO_MODULES); ?> or any number of other ways it can be modified? how about every other way other tags can possibly be implemented? You dont strip entire bits of code... you strip santize what makes it code.

The PHP tags/code wouldn't be able to execute unless you ran it through eval().

This is a classic XSS example. I suggest you read up on it. Why don't you just filter everything with htmlspecialchars() or htmlentities()? I sure hope you are escaping the database query with PDO prepared statements or mysql_real_escape_string()

Yes i have my queries secured thanks !! I know im XSS vulnerable right now but its ok because im in development stage , for one moment i thought that im exposing my server to a server side script. But im safe ! Client side attacks are harmless for the server (i think )

Why not remove or reject the entries?

so then why don't don't you use regex and strip the tags, or just remove the text along with those tags...? however I am sure there are better ways to do it